I am using http://en.wikipedia.org/wiki/Openvz and thus I have a bunch
of VEs (Virtual Environments) running atop the HN (Hardware Node) --
each VE then appears/feels like a stand-alone Linux. The systems are
Debian -- HN and VEs.
Note: With OpenVZ there is always just one HN and usually one or more
VEs. Of course, there might be no VE at all but ...
I do all the firewalling on the HN, i.e. the VEs are protected by using
iptables rules within the FORWARD chain of the filter table on the HN.
There is no need to do additional firewalling within the VEs themselves.
Now that this is working excellently, I want to plug fwknop into that
setup of mine. Of course, I do not want to start firewalling within the
VEs; rather, it must be possible to only run fwknopd on the HN and
protect all VEs with this one instance of fwknopd on the HN.
I already installed fwknop-server (the Debian package containing
fwknopd) on the HN. I also started reading man files and the docu on
http://www.cipherdyne.org/fwknop/ as well as the config files that come
with fwknop-{server,client}.
So far so good ... I figure it is possible to only run fwknopd on the HN
and enable the setup to use FORWARD. /etc/fwknop/fwknop.conf says:
### Allow SPA clients to request access to services through an
### iptables firewall instead of just to it (i.e. access through the
### FWKNOP_FORWARD chain instead of the INPUT chain). This also
### requires the ENABLE_FORWARD_ACCESS variable to be set in the
### access.conf file for the specific SOURCE stanzas that should be
### allowed for forwarding access.
ENABLE_IPT_FORWARDING N;
So I set ENABLE_IPT_FORWARDING N; to ENABLE_IPT_FORWARDING Y; and then
... well, that is where I am not sure anymore how to proceed. My current
understanding is to put ENABLE_FORWARD_ACCESS into
/etc/fwknop/access.conf. However, looking at the examples in
/usr/share/doc/fwknop-server/README.ACCESS I could not find an example
that would mention my use case.
Can anyone help me to reach my goal, i.e. integrate fwknopd into my
forwarding setup?
Also, I would like to protect the sshd running on the HN, not just
the sshds running within the VEs. Is that possible with just one fwknopd
running on the HN?